The power of collaboration: A Business Continuity Management System for the Alberta Post-Secondary Sector. Jim Ross CISA CRMA MacEwan University

Transcription

1 The power of collaboration: A Business Continuity Management System for the Alberta Post-Secondary Sector Jim Ross CISA CRMA MacEwan University

2 Campus Alberta Risk and Assurance Committee ( CARA ) CARA is a coordinating body providing a network for post-secondaries ( PSI ) to work collaboratively towards the building and sharing of information and resources in the areas of risk management. It is responsible to the Alberta Post Secondary Senior Business Officers ( SBO ) Group. May 17, 2018 CARA Business Continity Management System 2

3 CARA CARA embraces the following disciplines: Enterprise Risk Management Emergency Management Business Continuity Management Disaster Recovery Internal Audit Legislative Compliance Health and Safety Security Services Insurance May 17, 2018 CARA Business Continity Management System 3

4 History Formed in 2011 in response to a recommendation to the PSIs from the Alberta Auditor General (OAG) to implement ERM and Emergency Management. CARA conducts its business as a committee. Participation on the committee is open to all 26 Alberta post-secondaries. The Ministry of Advanced Education has ex officio representation May 17, 2018 CARA Business Continity Management System 4

5 History cont d Initially shared best practice control documents in Emergency Management and Risk Management. Sponsored ISO Risk Management training. Held its first Symposium in OAG presented on best practice ERM. May 17, 2018 CARA Business Continity Management System 5

6 Past Projects In 2013 CARA sponsored the collaboration of several Alberta postsecondaries that created the Shooter on Campus: Know You Can Survive, a nine-minute video which provides students and staff with the best information available about how to respond to an active shooter situation. The video can be found on You Tube. Here is a link to the MacEwanbranded version: May 17, 2018 CARA Business Continity Management System 6

7 Business Continuity Management System Project Looking for its next project the BCMS project was pitched to the CARA Committee in November Confirmed at January 2015 meeting. Started the business case. Pitched the project in June 2015 to the Alberta Association in Higher Education for Information Technology (AAHEIT) looking for funding partner. Funding confirmed in September. RFP issued October 31. Closed November submissions reviewed between Nov 30 and Dec 11. Contract awarded December 18. Work started in January Finished October, 2016 The Working Group: 20 people representing 12 Alberta Post-Secondaries May 17, 2018 CARA Business Continity Management System 7

8 Survey A Business Continuity Management System is an important pillar of an integrated business resiliency program, which includes Enterprise Risk Management, Emergency Management, Incident Management and Disaster Recovery, that protects the institution's core business of delivering education and protects an institution's most valuable assets: people, infrastructure, information and reputation. May 17, 2018 CARA Business Continity Management System 8

9 What is the maturity level of your business continuity management? May 17, 2018 CARA Business Continity Management System 9

10 When do you plan to implement a Business Continuity Management System? May 17, 2018 CARA Business Continity Management System 10

11 What are the barriers to implementation? (1- most relevant, 6 - least) May 17, 2018 CARA Business Continity Management System 11

12 Project Description The project delivered a best-practice set of deliverables designed to maintain continuous operations through the discipline of Business Continuity Management. The project deliverables can be used by all institutions to identify threats, assess their impact to academic and administrative processes and build response plans across their entire operations. May 17, 2018 CARA Business Continity Management System 12

13 Organizational Resiliency Recognition that this project is one element in an overall program of resiliency. A resilient organization has processes and tools in place enabling readiness, response and recovery. Our post-secondary institutions face an unrelenting series of challenges, threats and opportunities. In order to preserve the value we have created, we need to be resilient in the face of change. Business continuity planning is one piece of an integrated resiliency framework. Never wait for an incident to appreciate the value of resilience May 17, 2018 CARA Business Continity Management System 13

14 MNP publication titled The Resilient Enterprise Six Guiding Principles for Sustainable Success May 17, 2018 CARA Business Continity Management System 14

15 Project Drivers The Government of Alberta promotes Campus Alberta and its goals of an accessible, affordable, quality, and sustainable post-secondary system in Alberta that fosters innovation, entrepreneurship, and collaboration. Alberta post-secondary institutions play their part in many ways, not least by looking for collaborative projects that promote value in the delivery of education and services. May 17, 2018 CARA Business Continity Management System 15

16 Project Drivers Post-secondaries have experienced unprecedented change in the market, workforce, legislation, external regulators, risks, resources and strategic priorities. There is an explicit expectation that the sector collaborate more effectively to address common problems. Although a number of initiatives have been identified, it is recognized that institution resources are already stretched to the maximum. May 17, 2018 CARA Business Continity Management System 16

17 Project Approach Based on a very successful previous project. The Information Technology Management (ITM) Control Framework Program ran from Sponsored by the Ministry of Advanced Education and the Alberta Association in Higher Education for Information Technology (AAHEIT). Delivered 200+ control documents to the PSIs. May 17, 2018 CARA Business Continity Management System 17

18 Project Approach Collaborative model originates from the University of Albany s Center for Technology in Government May 17, 2018 CARA Business Continity Management System 18

19 This model has been adapted and implemented by several initiatives including the Provincial ITM Control Framework Program, the Government of Alberta Information Sharing Strategy, and other cross government collaborative ITM Control Framework Programs. May 17, 2018 CARA Business Continity Management System 19

20 Success factors for the collaboration model Leadership shared vision and goals Trust personal trust that participants will be treated fairly and respectfully; professional trust that participant's motives are pure and expertise is reliable Coordination well-orchestrated to leverage existing assets (technology, organizational and human resources) Risk Management external risks from socioeconomic, political and technological environments; internal risks from the projects, the participants, and their relationships Communication - consistent, ongoing knowledge sharing through both formal and informal channels May 17, 2018 CARA Business Continity Management System 20

21 CARA s Collaborative Model The collaborative approach was designed to: Improve the sectors overall risk management, emergency response planning, business continuity and business resilience; Leverage economies of scale; Avoid redundant work thus reducing the cost to the system; Optimize resource use; Leverage existing work and common frameworks; and Expand shared services. May 17, 2018 CARA Business Continity Management System 21

22 Project Governance Project Consultant Documentation & Approval Process Working Group Project Steering Committee CARA Committee Analyze Draft Deliverables Recommend Approve Existing Documents Legislation Industry Standards Feeback Feeback Endorse, Communicate, Distribute AAHEIT SBOs CARA Members May 17, 2018 CARA Business Continity Management System 22

23 Project Milestones Jan 19/16 Jan. 22/16 Jan. 22/16 Mar. 4/16 Project Start-up Activities (project charter, logistics) Kick-off Meeting - BCMS Project Steering Committee Approve Project Charter Conduct Research & Environmental Scan Mar. 14/16 Mar. 29/16 Apr. 13/16 Apr. 21/16 Draft BCM Framework Analyze Control & Tool Requirements Facilitate Project Orientation Workshop Validate Framework, Controls & Tools Listing Apr. 21 Oct. 5/16 Apr. 21 Oct. 5/16 Apr. 21 Oct. 5/16 Apr. 21 Oct.12/16 Draft Controls & Tools WG Review Drafts & Provide Input Incorporate Feedback & Finalize PSC Review & Provide Input *A repeated cycle from April 4 Oct 5, 2016 with Working Group Apr.21 - Oct. 20/16 Develop Exec Summary and Implementation Guide Oct. 12/16 PSC Final Approval of Deliverables Oct. 20 /16 Facilitate Project Closure Workshop May 17, 2018 CARA Business Continity Management System 23

24 BCMS Framework Institution Strategic Plan Business Resiliency Program Organizational Governance & Culture BCMS Framework Sustainment Planning Assessment Guiding Precepts Foundation Emergency Response Policy Incident Management Policy Legislation / Industry Standards BCM Organization BCM Maturity Model BCM Readiness BCM Policy or Standard BCM Strategy BCM Principles BCM Scope BCM Roadmap Business Impact Analysis Risk Assessment Enterprise BCM Plan Business Unit BCM Plan(s) IT Disaster Recovery Plan Communication, Awareness & Training BCM Testing & Maintenance BCM Audit Repository Continuous Improvement May 17, 2018 CARA Business Continity Management System 24

25 Relational Diagram May 17, 2018 CARA Business Continity Management System 25

26 Free for Use! The BCMS is available here: It is licensed under a Creative Commons Attribution 4.0 International License: May 17, 2018 CARA Business Continity Management System 26

27 Update NAIT NorQuest MacEwan Alberta Office of the Auditor General May 17, 2018 CARA Business Continity Management System 27